File name: import os, json, time.py

Full analysis: https://app.any.run/tasks/7ef1232d-810e-4a99-9b70-9ec344a780ee
Verdict: Malicious activity
Analysis date: October 03, 2025, 18:22:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python, pyinstaller, arch-exec
Indicators:
MIME: text/x-script.python
File info: Python script, ASCII text executable, with CRLF line terminators
MD5: 27514B7F191E1DE211FD7C7E3A2C658C
SHA1: 6ED4B1BC0324DD6BCEF09A70670E3D2FD8069DA5
SHA256: D88DD100D3E8E2DDB9AEE377CC56C023FBA211BBEBBF6255318CA5CA70D7924F
SSDEEP: 48:rqmaqv09f40HA99bPjxZnv6nqYTTcsUxRQ7:Wm7v8f42oLjxZv/WAsAQ7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9752)
    • Process drops python dynamic module

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9752)
    • Loads Python modules

      • oszsave.exe (PID: 6480)
      • oszsave.exe (PID: 9772)
      • oszsave.exe (PID: 9608)
    • Executable content was dropped or overwritten

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9752)
      • selenium-manager.exe (PID: 7208)
    • Process drops legitimate windows executable

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9752)
    • Application launched itself

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9752)
    • Starts CMD.EXE for commands execution

      • selenium-manager.exe (PID: 7208)
  • INFO

    • Checks supported languages

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 6480)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9608)
      • oszsave.exe (PID: 9752)
      • oszsave.exe (PID: 9772)
      • selenium-manager.exe (PID: 7208)
      • chromedriver.exe (PID: 7908)
    • The sample compiled with english language support

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9752)
      • firefox.exe (PID: 9360)
    • Manual execution by a user

      • oszsave.exe (PID: 1312)
      • firefox.exe (PID: 6240)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9752)
      • firefox.exe (PID: 9124)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • oszsave.exe (PID: 6480)
      • oszsave.exe (PID: 9608)
      • oszsave.exe (PID: 9772)
    • Create files in a temporary directory

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9752)
      • selenium-manager.exe (PID: 7208)
      • chromedriver.exe (PID: 7908)
    • Application launched itself

      • firefox.exe (PID: 6240)
      • firefox.exe (PID: 7072)
      • firefox.exe (PID: 9124)
      • firefox.exe (PID: 9360)
      • chrome.exe (PID: 9876)
    • Reads the computer name

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 6480)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9608)
      • oszsave.exe (PID: 9752)
      • selenium-manager.exe (PID: 7208)
      • chromedriver.exe (PID: 7908)
      • oszsave.exe (PID: 9772)
    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 7072)
      • OpenWith.exe (PID: 572)
      • firefox.exe (PID: 9360)
    • PyInstaller has been detected (YARA)

      • oszsave.exe (PID: 1312)
      • oszsave.exe (PID: 6480)
      • oszsave.exe (PID: 8100)
      • oszsave.exe (PID: 9608)
      • oszsave.exe (PID: 9752)
    • Checks proxy server information

      • oszsave.exe (PID: 6480)
      • oszsave.exe (PID: 9608)
      • slui.exe (PID: 10052)
      • oszsave.exe (PID: 9772)
      • selenium-manager.exe (PID: 7208)
    • Reads the software policy settings

      • slui.exe (PID: 10052)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 9360)
No Malware configuration.
Total processes: 248
Monitored processes: 74
Malicious processes: 0
Suspicious processes: 3


Process information

PID: 464
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5556 -prefsLen 39120 -prefMapHandle 5560 -prefMapSize 273089 -jsInitHandle 5564 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5460 -initialChannelId {1007592a-47af-4b5f-829e-d481e0a39039} -parentPid 9360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 136.0
Modules (images):
  c:\program files\mozilla firefox\firefox.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\vcruntime140.dll
  c:\program files\mozilla firefox\mozglue.dll
  c:\windows\system32\vcruntime140_1.dll
  c:\windows\system32\msvcp140.dll
  c:\windows\system32\bcrypt.dll

PID: 572
CMD: "C:\WINDOWS\System32\OpenWith.exe" "C:\Users\admin\AppData\Local\Temp\import os, json, time.py"
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\openwith.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll

PID: 1312
CMD: "C:\Users\admin\Desktop\oszsave.exe"
Path: C:\Users\admin\Desktop\oszsave.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  c:\users\admin\desktop\oszsave.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll

PID: 1524
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" --user-data-dir="C:\Users\admin\AppData\Local\Temp\scoped_dir7908_836643232" --field-trial-handle=5388,i,4773716901351334924,9515672304833358210,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging=handle --log-file=5308 --log-level=0 --mojo-platform-channel-handle=5380 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
  c:\program files\google\chrome\application\chrome.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\aclayers.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll

PID: 1880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: selenium-manager.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 2000
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: oszsave.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 2000
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" --user-data-dir="C:\Users\admin\AppData\Local\Temp\scoped_dir7908_836643232" --field-trial-handle=5600,i,4773716901351334924,9515672304833358210,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging=handle --log-file=5660 --log-level=0 --mojo-platform-channel-handle=3396 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
  c:\program files\google\chrome\application\chrome.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\bcryptprimitives.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID: 2280
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4300 -prefsLen 39120 -prefMapHandle 4520 -prefMapSize 273089 -jsInitHandle 3688 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3672 -initialChannelId {ca072228-bf00-42b4-a350-5bf2d53f5003} -parentPid 9360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 136.0
Modules (images):
  c:\program files\mozilla firefox\firefox.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\program files\mozilla firefox\mozglue.dll
  c:\windows\system32\vcruntime140_1.dll
  c:\windows\system32\vcruntime140.dll
  c:\windows\system32\msvcp140.dll
  c:\windows\system32\bcrypt.dll

PID: 2344
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" --user-data-dir="C:\Users\admin\AppData\Local\Temp\scoped_dir7908_836643232" --field-trial-handle=5912,i,4773716901351334924,9515672304833358210,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging=handle --log-file=5920 --log-level=0 --mojo-platform-channel-handle=5804 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
  c:\program files\google\chrome\application\chrome.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\bcryptprimitives.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID: 2416
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4100 -prefsLen 45014 -prefMapHandle 4104 -prefMapSize 273089 -jsInitHandle 4108 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4116 -initialChannelId {35f2c434-f731-4680-9600-be5fe4b9bfef} -parentPid 9360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 136.0
Modules (images):
  c:\program files\mozilla firefox\firefox.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\mozilla firefox\mozglue.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\msvcp140.dll
  c:\windows\system32\vcruntime140.dll
  c:\windows\system32\vcruntime140_1.dll
  c:\windows\system32\bcrypt.dll

Total events: 43 046
Read events: 43 034
Write events: 11
Delete events: 1

Modification events

(PID) Process: (572) OpenWith.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: @C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\oregres.dll,-205
Value: Word

(PID) Process: (572) OpenWith.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: @wmploc.dll,-102
Value: Windows Media Player

(PID) Process: (7072) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

(PID) Process: (9360) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

(PID) Process: (9876) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (9876) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (9876) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings
Operation: delete key
Name: (default)
Value:

(PID) Process: (9876) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (9876) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (9876) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1
Executable files: 85
Suspicious files: 583
Text files: 135
Unknown types: 0

Dropped files

PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\_bz2.pyd (executable)
  MD5: 057325E89B4DB46E6B18A52D1A691CAA
  SHA256: 5BA872CAA7FCEE0F4FB81C6E0201CEED9BD92A3624F16828DD316144D292A869
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\_curses.cp313-win_amd64.pyd (executable)
  MD5: 94FF8CCD340074CAAC7ED263D933D86E
  SHA256: AC58644674C5DF6D9E4140718A38E8E81751D0368F5C53B909BBEEB03F39B9FF
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\_ctypes.pyd (executable)
  MD5: 2185849BC0423F6641EE30804F475478
  SHA256: 199CD8D7DB743C316771EF7BBF414BA9A9CDAE1F974E90DA6103563B2023538D
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\VCRUNTIME140_1.dll (executable)
  MD5: 68156F41AE9A04D89BB6625A5CD222D4
  SHA256: 82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\_wmi.pyd (executable)
  MD5: E3213CF44340D7B4CB65F7231A65E3A4
  SHA256: AB87FE4B0CF5B2B17901905EA86367B9756C44845EB463E77435648F0F719354
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\_hashlib.pyd (executable)
  MD5: CF4120BAD9A7F77993DD7A95568D83D7
  SHA256: 14765E83996FE6D50AEDC11BB41D7C427A3E846A6A6293A4A46F7EA7E3F14148
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\_ssl.pyd (executable)
  MD5: CE19076F6B62292ED66FD06E5BA67BBA
  SHA256: 21CA71B2C1766FC68734CB3D1E7C2C0439B86BCFB95E00B367C5FD48C59E617C
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\_asyncio.pyd (executable)
  MD5: 70DEC3CE00E5CAF45246736B53EA3AD0
  SHA256: 8CEF0CD8333F88A9F9E52FA0D151B5F661D452EFBCFC507DC28A46259B82596C
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\_queue.pyd (executable)
  MD5: 59C05030E47BDE800AD937CCB98802D8
  SHA256: E4956834DF819C1758D17C1C42A152306F7C0EA7B457CA24CE2F6466A6CB1CAA
PID 1312, oszsave.exe: C:\Users\admin\AppData\Local\Temp\_MEI13122\selenium\webdriver\common\linux\selenium-manager
  MD5:
  SHA256:
HTTP(S) requests: 49
TCP/UDP connections: 252
DNS requests: 276
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2756 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | DE | binary | 471 b | whitelisted
7072 | firefox.exe | POST | - | 142.250.184.195:80 | http://o.pki.goog/s/wr3/W6c | US | - | - | whitelisted
7072 | firefox.exe | POST | 200 | 142.250.184.195:80 | http://o.pki.goog/s/wr3/vbw | US | binary | 472 b | whitelisted
4392 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
3572 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | DE | binary | 313 b | whitelisted
4392 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
7072 | firefox.exe | POST | 200 | 142.250.184.195:80 | http://o.pki.goog/wr2 | US | binary | 471 b | whitelisted
4180 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | DE | binary | 471 b | whitelisted
7072 | firefox.exe | POST | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/ | unknown | binary | 471 b | whitelisted
7072 | firefox.exe | POST | 200 | 142.250.184.195:80 | http://o.pki.goog/we2 | US | binary | 279 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6332 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6016 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5224 | SearchApp.exe | 2.21.22.144:443 | www.bing.com | Akamai International B.V. | CH | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4392 | svchost.exe | 20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4392 | svchost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3572 | backgroundTaskHost.exe | 2.21.22.144:443 | www.bing.com | Akamai International B.V. | CH | whitelisted
3572 | backgroundTaskHost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3464 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
www.bing.com | 2.21.22.144, 2.21.22.131 | whitelisted
google.com | 142.250.184.238 | whitelisted
login.live.com | 20.190.160.131, 40.126.32.140, 20.190.160.65, 20.190.160.17, 40.126.32.74, 40.126.32.138, 40.126.32.72, 40.126.32.133 | whitelisted
ocsp.digicert.com | 23.54.109.203, 162.159.142.9, 172.66.2.5 | whitelisted
client.wns.windows.com | 172.211.123.249, 172.211.123.250 | whitelisted
arc.msn.com | 20.199.58.43, 20.31.169.57 | whitelisted
fd.api.iris.microsoft.com | 20.105.99.58 | whitelisted
api.github.com | 140.82.121.5 | whitelisted
content-signature-2.cdn.mozilla.net | 34.160.144.191 | whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
9848 | chrome.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt (9 alerts)
Process | Message
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\scoped_dir7908_836643232 directory exists )